token_auth authentication bypass

[hass]

If I call the flash applets with token_auth=anonymous they are shown nevertheless anonymous do not have view permissions.

If I do the same with JSON api call access is blocked.

Repro: 1. Log into Piwik website (now you are authenticated with your "adminstrator") 2. Request JSON data with token_auth=anonymous 3. You receive access denied to site 1 4. Request flash widget with token_auth=anonymous 5. Widget is shown, but shouldn't.

Additional to this it would be great if the Flash applet wouldn't return only the below if access has been denied. It's not very easy for users to understand what happened here.

Open Flash Chart

JSON Parse Error [Syntax Error]
Error at character 0, line 1:

0: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1

[vipsoft]

Sorry, I should have been more clear in #790. token_auth is used for API calls; token_auth is not used for authentication in iframes or flash widgets.

In your test case, the API request for JSON formatted data failed as expected. The reason the flash widget succeeded is because you were logged in and Piwik used the authenticated login session. While the Flash widget does use JSON formatted data, the data stream contains additional information required by Open Flash Chart, and as such, it is not the same data as an API request for JSON data.

Please keep an eye out for #283 (or #804).

[hass]

I *need* to be able to authenticate the flash data request with token_auth. Drupal user do not need to log into piwik website. They see all standard statistics in the reports section. I do not need to authenticate the swf file themself... only the data that is used to build the flash chart.

[hass]

Here is an example URL that doesn't allow me to get the flash data:

/piwik/index.php?module=UserSettings&action=getOS&idSite=1&period=month&date=2009-06-29&filter_limit=10&filter_sort_column=nb_uniq_visitors&filter_sort_order=desc&viewDataTable=generateDataChartPie&token_auth={my token_auth}